A week in security (Jun 26 – Jul 02)

Last week, we talked about a new 419 scam that our researchers found in the wild and pushed out a follow-up post on a technical support scam that uses Winlogon. We also spotlighted a fingerprinting technique used by the Neutrino exploit kit, which looks for the presence of files related to Fiddler and known virtual machines. You can read more about this in the post entitled “Neutrino EK: fingerprinting in a Flash”.

Lastly, we published an in-depth analysis of Satana, a very young ransomware, with an accompanying reader-friendly version for less technical readers.

Notable news stories and security-related happenings:

  • IRS Kills Off PINs Citing Increasing Suspicious Activity. “After an embarrassing security breach in February of this year, it issued PINs to millions of Americans to try and protect what secrets they still had. That program was suspended in March after scammers got their hands on enough PINs to file 800 fraudulent returns.” (Source: The Register)
  • Facebook ‘Comment Tagging Malware’ Spreading via Google Chrome. “This malware is mostly targeting Chrome users. It is yet unclear if Firefox or other browsers are affected by the scam or not. One possibility is that users receiving such notifications have had one of their friends hacked and crooks are using their browser to target other contacts.” (Source: HackRead)
  • Changing Your Password Regularly Won’t Fix The Problem – You Need To Change The Entire Password Security System. “The findings went on to suggest that a key contributor for weak and stolen passwords resulted from end users not changing default passwords. It also offered advice stating that firms should mandate all staff to change their passwords at least four times per year with more specific rules consisting of at least eight characters with an uppercase, lowercase, number and special character.” (Source: IT Security Guru)
  • Meeting Ransomware Threats with SIEM. “Technology represents 20 percent or less of the overall challenges to better security outcomes. To meet the increasing intricacy of the threat landscape, security technologies have become more complex to combat these threats, like SIEM (secure information and event management), which deploys user behavior analysis, endpoint threat detection, and other features to detect network anomalies and possible breaches-in-progress.” (Source: LegalTech News)
  • Chrome Vulnerability Lets Attackers Steal Movies From Streaming Services. “David Livshits, a security researcher at the CSRC under the direction of Dr. Asaf Shabtai, has developed an attack proof-of-concept that is able to save a decrypted version of any streamed content protected by Google Widevine DRM and played via Google Chrome on a computer’s disk drive. The proof-of-concept has been tested successfully and consistently on different recent versions of Google Chrome in combination with Netflix streaming services as well as Amazon TV.” (Source: Help Net Security)
  • MEDJACK 2: Old Malware Used In New Medical Device Hijacking Attacks To Breach Hospitals. “The report is based on first-hand research of ongoing advanced persistent attacks detected between late 2015 and early 2016. It includes analysis and case studies from three hospitals hit with MEDJACK 2. ‘These attacks, which target medical devices deployed within hospitals’ computer networks, contain a multitude of backdoors and botnet connections, giving remote access for attackers to launch their campaign.’” (Source: Network World)
  • Ransomware Slams Corporate Office 365 Users With Macro Storm. “Avanan says the attackers tried to send messages to 57 per cent of the organisations on its security platform using Office 365. Users were sent an Office document that invoked the malware via macros. The attack used the Cerber ransomware, which first emerged in March. As well as encrypting user files, it takes over the victim’s audio system to read out its ransom note.” (Source: The Register)
  • Insider Corporate Data Theft And Malware Infections Among Biggest Threat To Digital Business In 2016: Accenture. “According to the State of Cybersecurity and Digital Trust 2016 survey, 69% of the respondents experienced an attempted or successful theft or corruption of data by insiders during the last 12 months, with media and technology organizations reporting the highest rate (77%). The survey was carried out across over 200 C-level security and IT professionals across different geographies and sectors. This insider risk will continue to be an issue, with security professionals’ concerns over insider theft of corporate information alone rising by nearly two-thirds over the coming 12 to 18 months.” (Source: India Times)
  • Fake Fingerprints: The Latest Tactic For Protecting Privacy. “Industrial design student Mian Wei imagines a future in which our biometric information becomes so valuable that people will want to obscure it from view, and mitigate the risks of leaving their fingerprints where someone else might replicate them. To solve this Digital Age security dilemma, Wei created Identity, a wearable finger prosthetic that can be used on fingerprint readers without revealing the user’s actual fingers or thumb.” (Source: Christian Science Monitor)
  • 25,000-strong CCTV Botnet Used For Crippling DDoS Attacks. “Another interesting discovery was that the compromised cameras are able to emulate normal behavior of most popular browsers, in an attempt to make it more difficult for defenders to identify and block the malicious requests. The compromised CCTV cameras are located in Taiwan, USA, Indonesia, Mexico, Malaysia, Israel, Italy, and so on.” (Source: Help Net Security)
  • Biometrics Finally Ready For Prime Time. “There are relatively few things we know for certain in the security industry, but one of them is that the password has become nearly useless as an authentication mechanism. Users are bad at creating them and modern computing resources have advanced to the point that attackers have little trouble cracking even complex passwords. Despite these facts, use of passwords as a primary authenticator has persisted for far longer than experts ever believed it would have.” (Source: Digital Guardian)
  • Planes, Trains And Automobiles Increasingly In Cybercriminal’s Bullseye. “According to IBM’s X-Force security team, the systems behind planes, trains and automobiles have now become bigger paydays for hackers than industries such as the retail sector – once a favorite of crooks after PoS system and credit card data […] Terrorism, as some might think, is nowhere close to a chief motivator behind cyber assaults of airlines, mass transit and passenger rail systems, said Michelle Alvarez, a threat researcher and editor for IBM Managed Security Services.” (Source: Kaspersky’s ThreatPost)
  • Warning: A Wave Of New Viruses Is Targeting Small Businesses. “Undercapitalized and outgunned small businesses are still the weak links in cybersecurity, even though they may have valuable data. Their percentage of IT budget directed to security has been increasing from 4.9 percent in 2010 to 7.9 percent last year, according to Ponemon Institute’s annual IT security Tracking study. But spending still lags behind big companies.” (Source: CNBC)
  • Dangerous Keyboard App Has More Than 50 Million Downloads. “Once the data is collected, it could also be used to create a very deep personal profile of users, shared with third parties, and vulnerable to state-sponsored hackers and criminals. None of this is information that a keyboard app needs to have, he added.” (Source: CSO Online)
  • 1.2 Million Infected: Android Malware ‘Hummer’ Could Be Biggest Trojan Ever. “The mobile phone Trojan family, known as ‘Hummer,’ gained traction in early 2016 when it was infecting ‘nearly 1.4 million devices daily at its peak,’ according to Cheetah Mobile. Hummer is thought to have originated in China relative to underground industry there, based on an email address linked to the domains used, and it saw 63,000 daily infections in China alone.” (Source: TechRepublic)
  • Researchers Sue The Government Over Computer Hacking Law. “The researchers, along with First Look Media Works, which publishes The Intercept, filed a lawsuit today against the Justice Department, asserting that opening fake profiles to pose as job and housing seekers constitutes speech and expressive activity that is protected under the First Amendment. They further argue that because sites can change their terms of service at any time without informing visitors, this can suddenly turn any speech or activity on the site into a criminal act—a violation, they say, of the Fifth Amendment right to due process, which requires proper notice to the public of what constitutes criminal behavior.” (Source: Wired)
  • Brexit Security Implications: Major, And Only Starting To Unfold. “However, another poll of security professionals offered different conclusions, with most respondents believing that a Brexit would weaken cybersecurity because of additional bureaucratic hurdles to information sharing with the EU, as well as limited cross-national collaboration in fighting cyber criminals. There is also concern about the possibility of a brain drain – in-demand security talent pool fleeing the UK – which could increasingly impact security and data protection.” (Source: Help Net Security)
  • Legit Tools Helping Attackers Hide Malicious Activity, Study Finds. “Contrary to popular perception, cyber attackers rarely rely on malware after an initial intrusion to carry out their data exfiltration, surveillance, and other malicious campaigns on target networks. Instead, a majority of them leverage legitimate IT tools and the native capabilities of the platform they are exploiting to move about undetected on a victim network, security vendor LightCyber found in a new study.” (Source: Dark Reading)
  • How a Hacker Is Gaming The Media To Extort His Victims. “Hackers using the media to their own ends is not new. Anonymous has distributed attention-grabbing and ready-to-publish imagery or press releases that were easy for journalists to quickly report on. Impact Team, the hackers behind the Ashley Madison breach, sent a link of the data to at least one well-known security journalist. But this latest campaign sticks out in its systematic and very deliberate approach. The Dark Overlord knows how to game the media, and reporters are playing along.” (Source: Motherboard)
  • Top Russian Site Exposes Millions To Info-Stealing Malware. “The SmokeLoader malware is a Trojan which downloads other components (i.e. click-fraud, credential stealers etc.), and it’s being dropped by the RIG EK. SmokeLoader’s primary purpose is to download plug-ins which contain malicious functionality such as credential stealers and click-fraud components.” (Source: InfoSecurity Magazine)

Safe surfing, everyone!

The Malwarebytes Labs Team